With the new version of IDW PS 340, a significant expansion of the requirements for company-wide risk management was formulated. This was preceded by heated discussions about aspects such as risk-bearing capacity and risk aggregation. Basically, these are discussions about the methodology of the risk management system and also to what extent and at which process steps quantitative approaches are useful and / or necessary.

For many risk managers, these requirements mean a significant adjustment of the previous risk management in the company, which they have to cope with in addition to everyday tasks. In our IDW PS 340 n.F. White Paper you will learn how you can implement the requirements from the audit standard with the help of Alyne Software as a Service and how you can bring your risk management up to date.

Download White Paper

Compliance is ever-changing. It is an extremely broad area with many different meanings and evolving requirements. Before, compliance was primarily confined to the financial services sector, but now it has become a fundamental cornerstone of all organisations, no matter the industry. Businesses are faced with a variety of regulations, directives and laws that define their daily operations, covering a wide range of areas – from data protection in the HR department to tax and corruption in the finance department.

For all organisations aiming for successful compliance processes there is a lot at stake. Managing these often leaves compliance teams facing questions on how to integrate all required regulations, keep their costs down and maintain programs that enable the organisation to easily adapt to change. Feeling lost in a sea of spreadsheets and paperwork with no view of real transparency is not uncommon for many enterprises.

As the world shifts and business environments change, the need for digital compliance management that can provide efficiency, clarity and collaboration across different business functions is becoming increasingly hard to ignore.

If your organisation is still reliant on manual compliance management, chances are information is segmented and your compliance work is not as integrated as it should be. These approaches usually result in blind spots that prevent compliance managers, across various functions, from working together seamlessly. As a result, companies often overlook key information or insights that can potentially help them work towards achieving compliance with fewer resources and effort.

Compliance work is more effective when addressing standards and regulations by their commonalities, rather than individually. A smart compliance process is one that encompasses a holistic integrated approach towards managing compliance, vertically and horizontally.

At Alyne, we understand the need to simplify, digitalise and automate processes to minimise guesswork as well as foster collaboration across your organisation; all while maintaining transparency and consistency across your Control Framework.

Speak to an expert to learn more about Mitratech’s Regulatory Compliance Technology.

The first codification of internal accounting controls happened nearly four decades ago, spurred on by the increasing bribery and corruption cases of U.S. businesses in 1977.  Since then, and more notoriously due to the Enron Accounting scandal and others, the requirements of financial controls and reporting have slowly become more clearly defined and enforced. The Sarbanes-Oxely Act (SOX) has been in effect for all U.S. listed companies and those conducting business in the U.S since 2002, as a means to prevent and protect against accounting errors and fraudulent practices. Section 404 requires the implementation of adequate Internal Control over Financial Reporting (ICFR) within listed companies to guarantee fair financial reporting practices in accordance with Generally Accepted Accounting Principles (GAAP). External auditors must attest to the design and effectiveness of Internal Control over Financial Reporting and the accuracy of an organisation’s financial statements.

Although there is mention above of requirements becoming “more clearly defined”, the actual requirements on how to achieve compliance are not so simple and SOX is not praised for straightforward guidance on how best to achieve compliance. The Sarbanes-Oxley Act, despite requiring organisations to have established and effective internal controls governing both IT and financial spheres, does not provide a checklist to follow, nor milestones to measure achievements. The ambiguity of SOX requirements has been widely condemned due to its vague nature, let alone the missing differentiation between key process parts.

Despite the lack of a clearly defined control framework from SOX, two leading organisations responsible for implementing SOX, namely the SECC and PCAOB – do point to common widely accepted frameworks, such as COSO and COBIT, and even a combination of the two, to adopt in your quest for SOX Compliance and ensuring ICFR. Combining frameworks can also help ensure that all aspects are covered in your SOX compliance checklist and help your organisations to meet ICFR requirements, as listed in Section 404.

COSO, COBIT, SOX & ICFR

Committee of Sponsoring Organisations of Treadway Commission (COSO) – 1985

The COSO framework provides an applied risk management approach to internal controls and articulates key concepts that organisations can use to deter fraud. The framework also places emphasis on financial related controls, designed to enable SOX 404 requirements of ICFR. The framework, however, lacks full consideration for the IT environment of the organisation. According to COSO, there are three types of internal controls:

• Those that affect a company’s operation
• Those that affect a company’s compliance with laws and regulations.
• Those that affect a company’s financial reporting. (ICFR)

Control Objectives for Information and Related Technology (COBIT) – 1992

COBIT is an IT Management framework developed by ISACA, which provides a clear path for developing policies and good practice for IT control, helping organisations achieve their objectives in the sphere of information technology. The COBIT model allows managers to bridge the gap between control requirements, technical isssues and business risks.

Sarbanes-Oxley Act (SOX) – 2002

• Section 404 – Internal Control over Financial Reporting

SOX applies to all publicly traded companies in the United States as well as wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States. The Internal Controls Report, mandated by Section 4 of the Act, commonly known as SOX 404, requires that all applicable companies have adequate internal controls in place to report accurate financial data in their annual reports. More specifically, SOX 404 requires companies to implement adequate Internal Control over Financial Reporting (ICFR) to ensure fair financial reporting practices have been put in place in accordance with Generally Accepted Accounting Principles (GAAP).

SOX Compliance and Meeting ICFR Requirements within Alyne

In an interconnected world, financial integrity relies heavily on a secure, properly functioning IT infrastructure. The ability to follow your finances requires full transparency and assurance of where and how your data flows. Meeting ICFR requirements set out in SOX 404, requires an organisation to have not only sound Financial Controls, focusing on the financial integrity of an enterprise, but also cover relevant Business Controls, with IT and information security related topics.

Covered within Alyne:

• Full mapping based on COBIT-COSO.

• Extensive IT and Information Security related controls.

• Library of Financial Controls focused purely on the financial integrity of an enterprise.

ICFR Control Set and Assessment Template:

The content available within the Alyne platform has enabled us to release an out-of-the-box Control Set for ICFR: Internal Control over Financial Reporting (ICFR) for compliance with SOX and SOC 1.

In addition to the Control Set, Alyne offers an out-of-the-box Assessment Template with pre-configured maturity levels which help corporations assess the maturity of their financial integrity. Regular self-assessments help organisations review compliance within their financial reporting requirements and assists them in strengthening their Internal Control over Financial Reporting. Alyne’s latest Internal Control over Financial Reporting capability allows a complete health-check of your company as well as your vendor base, for both SOX and SOC 1 compliance.

Download our latest white paper and learn more about SOX/SOC-in-a-Box and how Alyne can help your organisation with the Internal Control over Financial Reporting (ICFR) requirements of the U.S. Sarbanes- Oxley Act (SOX) “Management Assessment of Internal Controls”, and the System and Organisation Controls 1 (SOC 1) framework, defined as “Reporting on an Examination of Controls at a Service Organisation Relevant to User Entities’ Internal Control Over Financial Reporting.”

HIPAA Compliance

Although the Health Insurance and AccountabiIity Management Act (HIPAA) was first enacted into law in 1996, compliance still remains an often challenging task, leaving many Covered Entities and business associates lacking the appropriate measures and still unsure of how to comply with all HIPAA Rules set out in Part 164. The law was designed to provide consumers with greater access to healthcare insurance, reduce fraud, protect the privacy and security of healthcare information and promote efficiency and standardisation within the sector. The HIPAA regulations apply to any Covered Entities which handles health or healthcare-related data, including financial clearinghouses, and any provider that uses or transmits Personal Health Information (PHI).

According to a report by Research and Markets, the global mobile health app market is expected to hit US$134.7 Billion by 2027. In fact, two-thirds of the world’s largest hospitals offer mobile apps to their patients. With the rise of telehealth, the need for data security in the healthcare space has increased the use and sharing of patients’ Electronics Health Record (EHR).

The proliferation of digital technologies has changed the way that many healthcare providers operate. As efficiency and connectivity increased, so did the storage and transmission of key pieces of confidential health information, mandating an even greater need for the security and privacy of patients’ information. HIPAA regulates the security, privacy and protection of Personal Health Information (PHI) held by the covered entities and third parties, and provides individuals with rights to understand and control how their health information is used or disclosed.

HIPAA Privacy Rules

The HIPAA Privacy Rule (Part 164 Subpart E) focusses on the many uses and disclosures of Personal Health Information (PHI) and Personally Identifiable Information (PII) with data subject rights. This includes medical records and other personal health information, and it applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain healthcare transactions electronically.

HIPAA Security Rules

The HIPAA Security Rule (Part 164 Subpart C) is the security standard for the protection of electronic PHI (e-PHI). This set of rules ensures that there are both technical and non-technical safeguards (which include administrative and physical) to ensure that ePHI is transmitted and handled in a secured and responsible manner.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule (Part 164 Subpart D) requires Covered Entities and their Business Associates to notify affected individuals and the media of a breach of unsecured PHI. Depending on its severity, if the data breach affects 500 and more individuals, the Secretary of Health and Human Services has to be informed no later than 60 days following the breach.

Technology can be a great facilitator to help simplify requirements, provide greater risk transparency, educate and train employees, and even act as a centralised source of data, alleviating pressure from the audit process. Are you interested in learning more about Alyne’s capabilities and comprehensive mapping of Part 164 of the HIPAA regulation?

Download HIPAA Whitepaper here or  Speak to an expert to learn more. https://mitratech.com/schedule-demo/.